---
- branch: MAIN
  date: Fri Feb 2 07:55:34 UTC 2018
  files:
  - new: '1.96'
    old: '1.95'
    path: pkgsrc/www/py-django/Makefile
    pathrev: pkgsrc/www/py-django/Makefile@1.96
    type: modified
  - new: '1.75'
    old: '1.74'
    path: pkgsrc/www/py-django/distinfo
    pathrev: pkgsrc/www/py-django/distinfo@1.75
    type: modified
  id: 20180202T075534Z.924caad812320627554acb104636a1e38b05c822
  log: |
    py-django: updated to 1.11.10

    1.11.10:

    CVE-2018-6188: Information leakage in AuthenticationForm

    A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn’t overridden, an attacker can enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

    This issue is fixed with the caveat that AuthenticationForm can no longer raise the “This account is inactive.” error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.

    Bugfixes:
    Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted.
    Fixed a regression where contrib.auth.authenticate() crashes if an authentication backend doesn’t accept request and a later one does.
    Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/py-django'
  unixtime: '1517558134'
  user: adam